<allow (or <deny)
users="comma-separated list of users"
roles="comma-separated list of roles"
verbs="comma-separated list of verbs"
Two special identities:
||Refers to all identities
||Refers to the anonymous identity
Typical scenario, when you need to allow some roles,
but not any authenticated users you will write:
<allow roles="someusers, administrators"/>
<deny users="*" />
The order in which those elements appear determines the inportance.
In the example above although all users are denied access by deny *,
someusers and administrators will still have access,
because corresppopnding allow was placed above deny.